Microsoft: Home Server sports serious security
Thursday, 11 January 2007, 1:15 AM CET
Microsoft's upcoming Windows Home Server software will include security features taken from its enterprise-grade Windows Server 2003 software, but will not work as a central distributor for patches to PCs on the home network, a Microsoft executive said Wednesday.
Read more: http://www.net-security.org/news.php?id=13231
Microsoft confirms NSA's role in Vista security
Thursday, 11 January 2007, 12:27 AM CET
The NSA's involvement with Windows Vista -- which was confirmed by Microsoft this week -- is not the first time the NSA has provided guidance to Redmond. The NSA previously collaborated with Microsoft on the best methods to secure Windows XP and Windows 2000. The agency also has been credited with reviewing the Vista Security Guide published on Microsoft's Web site.
New PayPal key to help thwart phishers
Additional password-generating security measure should be opened to beta users within the next month
Over the next few months, eBay will be offering its PayPal users a new tool in the fight against phishers: a $5 security key.
The security key is actually a small electronic device, designed to clip on to a keychain, that calculates a new numeric password every 30 seconds. PayPal users who sign up to use the device will need to enter their regular passwords as well as the number displayed on the key whenever they log in to the online payment service.
Free hacker scan for universities, nonprofits
Acunetix is offering universities and nonprofit organizations a free Web site security scan and reporting service
Web application security vendor Acunetix Wednesday announced it would make available for free a Web site security scan and reporting service to universities and nonprofit organizations.
Open source to go under the radar in 2007
Posted by Dana Blankenhorn
We are only two weeks into 2007 and one trend already seems clear.
Open source will fly under the radar in 2007.
The media explosion that hit after the realization Linux was competitive with Windows in the server business and the SCO suit is getting old.
New stories have replaced it. Windows Vista. The Apple iPhone (or whatever). Wireless gadgets of all types are now the official story of the decade.
Open source, by contrast, is for geeks.
Read more: http://blogs.zdnet.com/open-source/?p=905
Next versions of Internet Explorer, Firefox taking shape
Posted by Mary Jo Foley
Microsoft and the Mozilla Foundation are pushing ahead with their respective next versions of their Web browsers. Their methods are different, but many of their priorities are -- at least in theory -- quite similar.
The Mozilla Foundation has published to a public wiki a list of its developers' plans for Firefox 3 (code-named "Gran Paradiso"). Gran Paradiso is slated to be available in the third/fourth quarter of 2007 timeframe.
Microsoft disclosed last summer that the IE team is working on the next two releases of Internet Explorer (IE). But the company isn't expected to show a prototype of its work until the Microsoft Mix '07 conference in late April 2007.
Read more: http://blogs.zdnet.com/microsoft/?p=196
Bug eats into Apple security patch software
Apple bug project finds a vulnerability in rival group's software
Matt Chapman, vnunet.com 11 Jan 2007
The group behind the Month of Apple Bugs (Moab) project has found a flaw in software designed to fix security issues on Apple Macs.
The vulnerability affects the Application Enhancer (Ape) software, which was designed by a rival group trying to combat the flaws highlighted by Moab.
The bug could allow malicious users on a local system to replace Ape's binary code and take control of the root privileges on a computer.
Read more: http://www.vnunet.com/vnunet/news/2172335/apple-flaw-found-security-patch
IT security experts warn of phishing kit peril
Universal Man-in-the-Middle phishing kit discovered by RSA
Robert Jaques, vnunet.com 11 Jan 2007
Security experts have warned that a previously undocumented phishing kit is being sold and used online by fraudsters.
The newly uncovered Universal Man-in-the-Middle Phishing Kit is designed to allow cyber-criminals to create sophisticated attacks against global organisations in which the victims communicate with a legitimate website via a fraudulent URL.
Security firm RSA's Anti-Fraud Command Center warned that this allows the fraudster to capture victims' personal information in real time.
Read more: http://www.vnunet.com/vnunet/news/2172366/security-experts-warn-phishing
Microsoft Patches Mac Office
The updates to Office 2004 for Mac and Office v.X for Mac released Tuesday patched five vulnerabilities in the suites' Excel spreadsheet.
By Gregg Keizer
Jan 11, 2007 11:44 AM
Microsoft updated its Office suite for the Mac to quash several bugs in the Excel spreadsheet and get the software ready for new Daylight Savings Time rules that go into effect in March.
The updates to Office 2004 for Mac and Office v.X for Mac released Tuesday patched five vulnerabilities in the suites' Excel spreadsheet that could let attackers hijack a computer by duping users into opening malformed worksheets. Microsoft ranked the flaws as "important," the second-most dangerous rating in its four-level threat scoring system. These updates, said Microsoft, include "fixes for vulnerabilities that an attacker can use to overwrite the contents of your computer's memory with malicious code."
The Redmond, Wash., developer also patched the Windows versions of Excel Tuesday.
Read more: http://www.informationweek.com/story/showArticle.jhtml?articleID=196900152&cid=RSSfeed_IWK_Security
Google annoys Web site owners with malware alerts
They say their sites are just fine
January 11, 2007 (IDG News Service) -- Some Web site operators are complaining that Google Inc. is flagging their sites as containing malicious software, when they believe their sites are harmless.
At issue is an "interstitial" page that appears after a user has clicked on a link within Google's search engine results. If Google believes a site contains malware, the page will appear, saying "Warning -- visiting this Web site may harm your computer!"
Google does not block access to the sites, but a user would have to manually type in a Web site address to continue. Organizations are complaining their sites do not contain malicious software, and say the warning is embarrassing.
"We have no bad software or installs or anything that would indicate a need to ban people from viewing our site," wrote Matt Blatchley, who works for the Greenbush Southeast Kansas Education Service Center, in a posting last Friday to Google Groups.
Google's warning page contains a link to stopbadware.org, a project designed to study legal and technical issues concerning spyware, adware and other malicious software.
Read more: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9007822&source=rss_topic17
'Month of Apple Bugs' turns up 10 vulnerabilities -- so far
There's more to come, says one of the researchers behind the effort
January 11, 2007 (Computerworld) -- A month-long campaign by two independent security researchers to disclose security flaws in Apple Inc.'s products has so far resulted in 10 vulnerabilities being publicly disclosed -- and several more on the verge of being announced. Exploit information has also been published, along with proof-of-code detailing how to take advantage of the flaws, several of which were described as being remotely exploitable by the researchers.
The disclosures are part of a Month of Apple Bugs (MoAB) effort launched on Jan. 1 by independent security researcher Kevin Finisterre and another researcher identified only by the initials LMH.
Read more: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9007883&source=rss_topic17
Mac flaw puts Safari surfers at risk
By Dawn Kawamoto, CNET News.com
Published on ZDNet News: January 11, 2007, 11:54 AM PT
A serious security flaw in Mac OS X opens machines with Apple's Safari Web browser to hijack by outsiders, Secunia has warned.
The vulnerability and "proof of concept" code to exploit it were released on Wednesday as part of the Month of Apple Bugs project. It affects Mac OS X 10.4.8, the most recent version of Apple's operating system and, possibly, previous versions, security researcher LMH said in the posting on MOAB's Web site.
The flaw can be exploited if the Mac user has enabled an option in Safari to "open safe files after downloading," Secunia said in an advisory Thursday. The security company has rated the problem "highly critical."
Read more: http://news.zdnet.com/2100-1009_22-6149498.html
CA backup and recovery solution contains flaws
Dan Kaplan Jan 11 2007 22:34
Two vulnerabilities were reported today in a CA backup and recovery solution that, if exploited, could allow an attacker to execute remote code and gain unauthorized administrative privileges.
The flaws, discovered by the X-Force research and development team at IBM Internet Security Systems (ISS), are found in CA Brightstor ARCserve, a storage solution largely deployed by small- and medium-size businesses.
According to IBM ISS advisories released today, the two bugs are similar and can be exploited through a stack-based buffer overflow. This could lead to the exposure of confidential information, loss in productivity and a compromised network.
Read more: http://www.scmagazine.com/us/news/article/625762/ca-backup-recovery-solution-contains-flaws/
Vulnerability reported in Snort intrusion prevention system
Dan Kaplan Jan 11 2007 21:36
Researchers from the University of Wisconsin in Madison have discovered a vulnerability in open-source intrusion prevention technology Snort which can be exploited to launch a DoS attack.
Vulnerability tracking firm Secunia graded the flaw "less critical," according to an advisory released today. The rule-matching algorithm of Snort can be exploited remotely to run time-consuming operations that cannot be detected and can lead to a DoS condition, the advisory explained.
The bug was reported in version 2.4.3.
Users are urged to update to the latest version.
Read more: http://www.scmagazine.com/us/news/article/625759/vulnerability-reported-snort-intrusion-prevention-system/